
Three Active Security Threats Hitting Businesses This Week

An Exchange Server zero-day, a phishing attack that bypasses MFA, and poisoned developer tools. Here’s what each one means and what to do.

By The Dragon Digital team


Three security issues are making the rounds right now, and at least two of them are directly relevant to businesses running Microsoft 365 or on-premises Exchange. None of this is exotic or theoretical. Active exploitation is confirmed on the most serious one, and the second is being sold as a ready-made kit to criminals for less than the price of a second-hand car.

Exchange Server: Apply Mitigations Today

Microsoft disclosed CVE-2026-42897 on 14 May. It’s a flaw in Outlook on the Web, the webmail interface staff use when logging in from home, a hotel or a client’s office. An attacker sends a crafted email; the recipient opens it in their browser; code runs without the recipient doing anything wrong. Active exploitation is confirmed. There is no patch yet, but mitigations are available.

Important distinction: this only affects businesses still running their own Exchange server on-site (versions 2016, 2019, or Subscription Edition). If you’re on Microsoft 365, you’re not at risk.

If you are running on-premises Exchange, check that Microsoft’s Emergency Mitigation Service has applied the fix automatically. You can verify using the Exchange Health Checker script. If the server has no internet access, you’ll need to run the mitigation tool manually.

On-premises Exchange has been one of the most reliably targeted products in the industry for four years straight. If moving to Microsoft 365 has been sitting on the “too complicated” pile, this is a reasonable week to move it to the top. We’ve written before about Microsoft’s May security patches and how to prioritise them.

Device-Code Phishing: It Gets Past MFA

The second threat is more subtle. Device-code phishing doesn’t steal passwords. It doesn’t intercept MFA codes. Instead, it abuses a legitimate part of how Microsoft handles sign-ins for devices that don’t have a keyboard (smart TVs, printers and the like) to trick staff into handing over a fully authenticated session.

Here’s how it plays out in practice. A convincing email arrives, often looking like a DocuSign request or a shared document. It asks the recipient to enter a short code into what looks like a normal Microsoft login page. MFA fires, the user approves it, everything looks legitimate. But the access goes to the attacker, not the intended service. Your MFA worked exactly as designed. The problem is who ended up with the result.

With the resulting access token, the attacker has access to email, Teams, OneDrive, everything. Toolkits selling this capability are available to criminals for around £1,200 plus a monthly fee. According to Barracuda’s research, one kit alone drove 7 million attempts in four weeks.

What to do: in Microsoft 365, review your Conditional Access policies and consider blocking the device-code authentication flow for most users. Most office workers never need it. If developers or specific tools do need it, restrict it to those accounts only. Also worth auditing recent sign-in logs for anything suspicious, and reminding staff not to enter verification codes they didn’t personally trigger.
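The sign-in audit suggested above, as an added example that is not part of the original post or Microsoft’s tooling: it assumes sign-in records in the shape Microsoft Graph’s signIn resource returns (fields such as userPrincipalName, authenticationProtocol and conditionalAccessStatus), a hypothetical allow-list of accounts permitted to use the device-code flow, and the constructed sample records embedded below.

```python
"""Audit Entra ID sign-in records for device-code flow use by accounts that should not use it."""
from collections import Counter

# Hypothetical allow-list: the only accounts (developers, tooling) meant to use device code.
DEVICE_CODE_ALLOWED = {"devops@example.com"}

# Constructed sample sign-in records (a subset of Graph signIn fields).
# errorCode 0 means the sign-in succeeded; 53003 means Conditional Access blocked it.
SIGNIN_LOGS = [
    {"userPrincipalName": "devops@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "ipAddress": "203.0.113.10",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "ipAddress": "203.0.113.10",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
]


def audit_device_code(records, allowed=DEVICE_CODE_ALLOWED):
    """Return device-code sign-ins by accounts outside the allow-list.

    Severity is 'high' when the sign-in succeeded (a session token was issued to
    whoever entered the code) and 'blocked' when a control refused it.
    """
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        if user in allowed:
            continue
        succeeded = r.get("status", {}).get("errorCode", 0) == 0
        findings.append({
            "user": user,
            "app": r.get("appDisplayName"),
            "ip": r.get("ipAddress"),
            "ca_status": r.get("conditionalAccessStatus"),
            "severity": "high" if succeeded else "blocked",
        })
    return findings


def source_ip_counts(findings):
    """Count findings per source IP: one address behind several users' device-code sign-ins points to a kit."""
    return Counter(f["ip"] for f in findings)
```

A successful finding whose ca_status is "notApplied" shows no Conditional Access policy covered that sign-in, which is exactly the gap the blocking policy above is meant to close.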

If your business has been relying on MFA alone and hasn’t revisited Conditional Access settings recently, this is worth a proper check. It’s also one of the things insurers look at when a claim comes in after a breach, and cyber insurance claims are being rejected more often than you’d think for exactly this kind of gap.

npm Supply Chain: A Developer Problem That Reaches Your Business

The third issue is less urgent but worth knowing. OpenAI recently confirmed that two of its developer machines were compromised through poisoned npm packages, JavaScript libraries that developers routinely install when building websites and tools. The malware was part of a campaign that dressed itself up with a Dune reference. Attackers, apparently, read.

For most businesses this is one step removed: if your website or any of your business tools were built, or are actively maintained, by a developer or agency, their working environment is part of your risk picture. It’s reasonable to ask them what checks they have on the third-party libraries they install. Do they scan for known vulnerabilities? Do they lock dependency versions so nothing updates unexpectedly? If those questions get a blank look, that’s useful information.

The NCSC has published guidance on software supply chain security if you want a starting point for that conversation.

All three of these are the kind of threat that looks manageable on paper and genuinely messy in practice. For businesses across North Wales without a dedicated IT team to work through it, Dragon Digital handles this kind of security review and keeps an eye on the monitoring that catches problems early. Worth a conversation if any of these have raised questions about your current setup.
